US8321934B1 - Anti-phishing early warning system based on end user data submission statistics - Google Patents


Info

Publication number
US8321934B1
Authority
US
United States
Prior art keywords
confidential information
website
submission
detecting
program code
Prior art date
Legal status
Active, expires
Application number
US12/115,352
Inventor
Shaun Cooley
William E. Sobel
Current Assignee
Gen Digital Inc
Original Assignee
Symantec Corp
Priority date
Filing date
Publication date
Application filed by Symantec Corp
Priority to US12/115,352
Assigned to SYMANTEC CORPORATION reassignment SYMANTEC CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: SOBEL, WILLIAM E., COOLEY, SHAUN
Application granted
Publication of US8321934B1
Assigned to JPMORGAN, N.A. reassignment JPMORGAN, N.A. SECURITY AGREEMENT Assignors: BLUE COAT LLC, LIFELOCK, INC., SYMANTEC CORPORATION, SYMANTEC OPERATING CORPORATION
Assigned to NortonLifeLock Inc. reassignment NortonLifeLock Inc. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: SYMANTEC CORPORATION
Assigned to BANK OF AMERICA, N.A., AS COLLATERAL AGENT reassignment BANK OF AMERICA, N.A., AS COLLATERAL AGENT SECURITY AGREEMENT Assignors: NortonLifeLock Inc.
Assigned to BANK OF AMERICA, N.A., AS COLLATERAL AGENT reassignment BANK OF AMERICA, N.A., AS COLLATERAL AGENT NOTICE OF SUCCESSION OF AGENCY (REEL 050926 / FRAME 0560) Assignors: JPMORGAN CHASE BANK, N.A.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements


Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Websites used for phishing are detected by analyzing end user confidential data submission statistics. A central process receives data indicating confidential information submitted to websites from a plurality of user computers. The received data is aggregated and analyzed, for example through statistical profiling. Through the analysis of the aggregated data, anomalous behavior concerning submission of confidential information to websites is detected, such as an unexpected, rapid increase in the amount of confidential information submitted to a given website. Responsive to detecting the anomalous behavior, further action is taken to protect users from submitting confidential information to that website. For example, an alert can be sent, a protective measure against the site can be published, the site can be added to a blacklist or a procedure to have the site shut down can be initiated.

Description

TECHNICAL FIELD
This invention pertains generally to computer security, and more specifically to using end user data submission statistics to protect users from phishing attacks.
BACKGROUND
Computer users are often victimized by phishing attacks, in which they unknowingly provide personal and confidential information to malicious websites. Phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Phishing attacks are commonly made by sending fraudulent emails or instant messages, and enticing users to click on a link and submit personal information to what appears to be a legitimate website.
Existing anti-phishing solutions use databases of known, active phishing sites in combination with end-user heuristic-based techniques to determine whether a web site which is requesting information is trustworthy. Such database information is often not available to these solutions until hours or days after a phishing site goes live. The reason for this delay is that it often takes a period of time for a new phishing site to be discovered, and then for identifying information to be distributed to security software publishers and made available to their users. During this period of time, users may unknowingly expose their personal information to a malicious website without any warnings from their installed anti-phishing solution.
Additionally, heuristic detection approaches are becoming less effective as phishers become better at replicating original sites. Furthermore, phishing sites that do not imitate authentic sites, such as fake stores, are even more difficult to detect. Once a phishing site is discovered, new protections are provided to anti-phishing solutions to ensure users are protected until the site is shut down.
Because there can be a gap between the launch of a new phishing site and its detection, phishing attacks can succeed by producing a large number of phishing sites quickly, even where each site only collects confidential information concerning a few thousand users before being shut down. It would be desirable to robustly protect users from such phishing attacks.
SUMMARY
Websites used for phishing are detected by analyzing end user confidential data submission statistics. A central process receives data indicating confidential information submitted to websites from a plurality of user computers. The received data is aggregated and analyzed, for example through statistical profiling. Through the analysis of the aggregated data, anomalous behavior concerning submission of confidential information to websites is detected, such as an unexpected, rapid increase in the amount of confidential information submitted to a given website. Such anomalous behavior indicates that the website is being used for phishing. Responsive to detecting the anomalous behavior, further action is taken to protect users from submitting confidential information to that website. For example, an alert can be sent to an appropriate party or automated system, a protective measure against the site can be published, the site can be added to a blacklist or a procedure to have the site shut down can be initiated.
The features and advantages described in this summary and in the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the relevant art in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram illustrating a system for transmitting end user data concerning submitted confidential information to a central server for statistical analysis, according to some embodiments of the present invention.
FIG. 2 is a block diagram illustrating a system for aggregating submitted end user data and detecting anomalous behavior indicative of phishing attacks, according to some embodiments of the present invention.
The Figures depict embodiments of the present invention for purposes of illustration only. One skilled in the art will readily recognize from the following discussion that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles of the invention described herein.
DETAILED DESCRIPTION
FIG. 1 illustrates system 100 for transmitting end user data 105 concerning confidential information 111 submitted to websites 103 to a central server 119 for statistical analysis, according to some embodiments of the present invention. It is to be understood that although various components are illustrated in FIG. 1 as separate entities, each illustrated component represents a collection of functionalities which can be implemented as software, hardware, firmware or any combination of these. Where a component is implemented as software, it can be implemented as a standalone program, but can also be implemented in other ways, for example as part of a larger program, as a plurality of separate programs, as a kernel loadable module, as one or more device drivers or as one or more statically or dynamically linked libraries.
As illustrated in FIG. 1, a tracking component 101 tracks websites 103 visited by a user. Individual tracking components 101 run on each of a plurality of user computers 113. FIG. 1 illustrates three user computers 113 as an example, but it is to be understood that typically the number would be much larger. In one embodiment, the tracking component 101 is implemented as a web browser plug-in that is capable of tracking user browsing history. In other embodiments, the tracking component 101 can be implemented in other ways, for example as an HTTP/HTTPS proxy (local or remote, configured or transparent), or as a component that parses a user's web browser history. The implementation mechanics of tracking websites 103 visited by users are within the skill set of those of ordinary skill in the relevant art, and the usage thereof within the context of the present invention will be readily apparent to one of such a skill level in light of this specification.
A monitoring component 109 monitors outbound confidential information 111. The monitoring component consists of both a database 115 (or other suitable storage mechanism) for storing the confidential information 111, and a searching component 107 for searching outbound network traffic for occurrences of this confidential data 111. In one embodiment, the searching component 107 is implemented as a web browser plug-in, but it can also be implemented in other ways, such as an HTTP/HTTPS proxy (local or remote, configured or transparent).
The implementation mechanics of storing confidential information 111 and searching outbound network traffic for confidential information 111 are within the skill set of those of ordinary skill in the relevant art, and the usage thereof within the context of the present invention will be readily apparent to one of such a skill level in light of this specification. It is to be understood that what information is considered to be confidential is a variable design parameter. In different embodiments, specific data and types of information can be classified as confidential by users, system administrators, publishers of security software and/or other parties as desired.
The monitoring component 109 works in conjunction with the tracking component 101 to determine what sites 103 are visited and what confidential information 111 is transmitted to each visited site 103. As illustrated, a data submission component 117 submits this data 105 to a central repository for statistical analysis, as described in greater detail below.
In one embodiment, the data submission component 117 transmits the data 105 to a central computer security server 119, which receives such data 105 from each of the plurality of user computers 113. To maintain user privacy, the data 105 transmitted to the server 119 can be kept anonymous. To this end, user identifying information can be omitted, as a general summary of the submitted confidential information 111 is sufficient for statistical analysis. For example, the data 105 summarizing a submission of confidential information 111 could be in a format such as “1 VISA numbers, 1 pin number, 1 social security number, 1 name, 1 address, 2 phone numbers, 1 DOB submitted to amazon.com.”
Although the data submission component 117 is illustrated as running on the client 113 and transmitting raw data 105 to the server 119, it is to be understood that in some embodiments, clients 113 can perform statistical compilation on the data 105 locally, and then transmit compiled statistics concerning confidential information 111 submitted to various websites 103. Whether the statistical compilation is performed by clients 113 or a server 119, or distributed between such computing devices in any combination, is a variable design choice.
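The client-side part of the scheme (the monitoring component 109, its database 115 and the anonymised summary data 105 of the preceding paragraphs) can be illustrated with the following added example. It is not code from the patent or from Symantec; it models the confidential-data store as salted SHA-256 digests rather than plaintext (this example's own choice, so that the monitor never holds the secrets it is looking for), scans only URL-encoded form bodies, and uses constructed sample values (a standard test card number and a well-known specimen SSN). The function names, the `SALT` constant and the report layout are assumptions.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Per-install random salt. Constructed here; a real client would generate it at install time.
SALT = b"example-install-salt"


def _normalise(value):
    """Canonical form so that spacing/punctuation variants of the same secret match."""
    return re.sub(r"[\s\-().]", "", value).lower()


def _digest(value):
    return hashlib.sha256(SALT + _normalise(value).encode()).hexdigest()


def register_confidential(db, kind, value):
    """Store a secret in the local database as a salted digest, keyed by type.
    Keeping digests rather than plaintext is this example's choice, not the patent's."""
    db.setdefault(kind, set()).add(_digest(value))


def scan_submission(db, url, form_body):
    """Inspect one outbound form POST and return an anonymised summary
    {"site": host, "counts": {kind: n}}. Field names and values never leave the client."""
    host = urlsplit(url).hostname or ""
    counts = Counter()
    for values in parse_qs(form_body, keep_blank_values=True).values():
        for value in values:
            d = _digest(value)
            for kind, digests in db.items():
                if d in digests:
                    counts[kind] += 1
    return {"site": host, "counts": dict(counts)}


def format_summary(summary):
    """Render in the patent's "1 VISA numbers, ... submitted to amazon.com" style."""
    parts = [f"{n} {kind}" for kind, n in sorted(summary["counts"].items())]
    return ", ".join(parts) + f" submitted to {summary['site']}"


if __name__ == "__main__":
    db = {}
    # Constructed sample secrets: a test card number, a specimen SSN, a fictitious phone number.
    register_confidential(db, "visa", "4111 1111 1111 1111")
    register_confidential(db, "ssn", "078-05-1120")
    register_confidential(db, "phone", "(555) 010-1234")
    body = "cc=4111-1111-1111-1111&ssn=078051120&tel=555-010-1234&alt=5550101234&name=Jane"
    print(format_summary(scan_submission(db, "https://shop.example/checkout", body)))
```

The summary carries no user identifier and no secret values, as the text above requires, but it still reveals the destination host and the kinds of data entered there, which is exactly the pivot the server needs. A deployment should therefore treat the report channel to server 119 as sensitive in its own right (authenticated, encrypted, and ideally batched) rather than relying on the omission of the user's identity alone.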
Turning now to FIG. 2, a backend component 205 running on the server 119 collects data 105 submitted by the plurality of user computers 113. The backend component 205 typically comprises a large database (or other suitable storage mechanism) 207, and a well defined interface 209 that allows the data submission components 117 running on user computers 113 to submit data 105. The backend component 205 aggregates the data 105 submitted from the various user computers 113, and stores the aggregated data 203 in the database 207 for statistical analysis as described below.
An anomalous behavior identification component 211 accesses the aggregated data 203 stored in the database 207 to identify anomalies in the data 105 being submitted to any given website 103. The corresponding analysis performed by the anomalous behavior identification component 211 can be as simple as detecting a spike in submissions of confidential information 111 to a given website 103, or as complicated as adaptive statistical anomaly detection, which applies statistical usage profiling to continuously modify a baseline, by which all confidential information disclosure activity is measured to identify anomalous behavior.
In one adaptive statistical anomaly detection form, the anomalous behavior identification component 211 maintains two sets of usage data (not illustrated), a long-term confidential information 111 disclosure activity profile and a short-term confidential information 111 disclosure profile. The long-term disclosure profile encompasses a blend of confidential information 111 disclosure patterns observed over a long period of time, while the short-term disclosure profile represents the disclosure patterns over a short period of time. To detect potential phishing attacks, the anomalous behavior identification component 211 compares the short-term profile to the long-term profile, and detects statistically significant deviations. Such a detected deviation is considered an indication of a phishing attack, and is processed appropriately as described below. Of course, the magnitude of deviation which is considered to be statistically significant is a variable design parameter, as is what specific periods of time constitute “long” and “short” term.
Over time, the anomalous behavior identification component 211 rolls the short-term observed usage into the long-term usage profile, to account for legitimate changes in website 103 behaviors. This type of analysis would recognize, e.g., the differences between a new, legitimate online store that slowly grows in popularity and a phishing attack that receives thousands of hits in the first few hours. Further, the thresholds in this form of adaptive analysis can be tuned over time based on observed attacks. The anomalous behavior identification component 211 would typically value different forms of confidential information 111 differently, e.g., submission of a social security number or PIN code should occur much less frequently than an email address or credit card number.
It is to be understood that various forms and methodologies of utilizing statistical analysis to detect anomalous behavior are known to those of ordinary skill in the art. The use of such statistical analysis within the context of the present invention will be readily apparent to those of such a skill level in light of the present specification. It is to be understood that the forms of statistical analysis described in detail above are simply examples.
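One concrete instance of the long-term/short-term profiling described above, as an added example that is not the patent's or Symantec's own code. Each site's long-term profile is kept as an exponentially weighted mean and variance of the weighted disclosure score per short-term window; the short-term profile is the current window's total; the deviation is a z-score against a floored standard deviation; and the window is rolled into the baseline afterwards. The per-type weights, the threshold of 4, the smoothing factor, the two-window warm-up (so that sites already busy when the detector starts are learned rather than flagged) and the decision not to roll a flagged window into the baseline are all assumptions of this example, and the scenario in `simulate()` is constructed.

```python
import math
from collections import defaultdict

# Per-type weights: rare, high-impact disclosures (SSN, PIN) count more than an
# e-mail address or card number. The values are assumptions of this example.
WEIGHTS = {"ssn": 5, "pin": 5, "dob": 2, "visa": 2, "address": 1,
           "phone": 1, "name": 1, "email": 1}


def weighted_score(counts):
    """Weighted disclosure score of one anonymised client summary."""
    return float(sum(WEIGHTS.get(kind, 1) * n for kind, n in counts.items()))


class SiteProfile:
    """Long-term disclosure profile of one site: an exponentially weighted
    mean and variance of the weighted score seen per short-term window."""

    def __init__(self, alpha=0.2, floor_std=10.0):
        self.alpha = alpha            # how fast the baseline adapts
        self.floor_std = floor_std    # keeps tiny sites from alerting on noise
        self.mean = 0.0
        self.var = 0.0

    def deviation(self, short_term):
        """Standardised deviation of a short-term score from the baseline."""
        std = max(math.sqrt(self.var), self.floor_std)
        return (short_term - self.mean) / std

    def roll_in(self, short_term):
        """Fold the window into the long-term profile (EWMA mean and variance)."""
        delta = short_term - self.mean
        self.mean += self.alpha * delta
        self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)


class AnomalyDetector:
    def __init__(self, threshold=4.0, warmup_windows=2, **profile_kwargs):
        self.threshold = threshold
        self.warmup_windows = warmup_windows   # learn before alerting
        self.closed = 0
        self.profiles = defaultdict(lambda: SiteProfile(**profile_kwargs))
        self.short_term = defaultdict(float)

    def ingest(self, summary):
        """Add one client report {"site": host, "counts": {...}} to the open window."""
        self.short_term[summary["site"]] += weighted_score(summary["counts"])

    def close_window(self):
        """End the short-term window: compare every known site to its baseline,
        return alerts, then update the long-term profiles."""
        alerts = []
        for site in set(self.profiles) | set(self.short_term):
            score = self.short_term.get(site, 0.0)   # silent sites roll in a zero
            profile = self.profiles[site]
            z = profile.deviation(score)
            if self.closed >= self.warmup_windows and z > self.threshold:
                alerts.append({"site": site, "score": score,
                               "baseline": round(profile.mean, 2), "z": round(z, 2)})
                continue   # do not let a suspected attack poison the baseline
            profile.roll_in(score)
        self.short_term.clear()
        self.closed += 1
        return alerts


def simulate():
    """Constructed scenario: an established shop with steady volume, a new store
    growing slowly over eight windows, and a phishing site that appears in the
    last window and harvests 100 SSN+PIN+card triples. Returns alerts per window."""
    det = AnomalyDetector()
    new_store_growth = [2, 3, 4, 6, 8, 11, 15, 20]
    alerts_per_window = []
    for i, n in enumerate(new_store_growth):
        for _ in range(200):
            det.ingest({"site": "bigshop.example", "counts": {"visa": 1, "name": 1}})
        for _ in range(n):
            det.ingest({"site": "newstore.example", "counts": {"email": 1, "visa": 1}})
        if i == len(new_store_growth) - 1:
            for _ in range(100):
                det.ingest({"site": "login-verify.example",
                            "counts": {"ssn": 1, "pin": 1, "visa": 1}})
        alerts_per_window.append(det.close_window())
    return alerts_per_window


if __name__ == "__main__":
    for i, alerts in enumerate(simulate()):
        print(f"window {i}: {alerts}")
```

In the constructed run the slowly growing store never exceeds a z of about 2.5 because the baseline keeps up with it, while the phishing site's first window (score 1200 against a fresh baseline of 0) scores z = 120 and is the only alert. The two parameters that most need tuning against observed attacks, as the text notes, are the floor on the standard deviation (which sets the smallest absolute burst that can ever alert) and the threshold.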
Once anomalous behavior indicating a phishing attack is detected, a reaction component 201 can take appropriate action as desired. What specific action to take responsive to detecting anomalous behavior indicating a phishing attack is a variable design choice. In one embodiment, the reaction component 201 transmits an alert 213 to a centralized, automated computer security system 215 that can publish any of a number of protective measures against the attack, such as a new rule for an anti-phishing product, or a new entry in a database of known bad sites 103. The alert 213 can also be sent to a human technician (not illustrated), who can verify that the anomalous behavior in fact indicates a phishing attack. The technician could then publish a protective measure against the attack, or forward the alert to the automated system 215. The automated system 215 (or the technician) can also submit traceable dummy data to the detected phishing site 103, and initiate an interaction with the hosting ISP or registrar to have the site 103 taken down. In some embodiments, the reaction component 201 transmits appropriate warnings 217 to users, indicating the site 103 has been identified as malicious. With wide distribution of such a system, computer security investigators and companies would have a statistically significant view of confidential information 111 disclosures on the Internet, providing near real-time information to assist in the identification, shutdown, and protection against phishing attacks.
As will be understood by those familiar with the art, the invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. Likewise, the particular naming and division of the portions, modules, agents, managers, components, functions, procedures, actions, layers, features, attributes, methodologies and other aspects are not mandatory or significant, and the mechanisms that implement the invention or its features may have different names, divisions and/or formats. Furthermore, as will be apparent to one of ordinary skill in the relevant art, the portions, modules, agents, managers, components, functions, procedures, actions, layers, features, attributes, methodologies and other aspects of the invention can be implemented as software, hardware, firmware or any combination of the three. Of course, wherever a component of the present invention is implemented as software, the component can be implemented as a script, as a standalone program, as part of a larger program, as a plurality of separate scripts and/or programs, as a statically or dynamically linked library, as a kernel loadable module, as a device driver, and/or in every and any other way known now or in the future to those of skill in the art of computer programming. Additionally, the present invention is in no way limited to implementation in any specific programming language, or for any specific operating system or environment. Furthermore, it will be readily apparent to those of ordinary skill in the relevant art that where the present invention is implemented in whole or in part in software, the software components thereof can be stored on computer readable media as computer program products. Any form of computer readable medium can be used in this context, such as magnetic or optical storage media.
Additionally, software portions of the present invention can be instantiated (for example as object code or executable images) within the memory of any programmable computing device. Accordingly, the disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.

Claims (12)

1. A computer implemented method for detecting malicious websites based on end user data submission statistics, the method comprising the steps of:
receiving data from each of a plurality of user computers which has been marked by the user computers as confidential information;
aggregating data received from the plurality of user computers;
analyzing the aggregated data, comprising:
performing adaptive statistical anomaly detection, by applying statistical usage profiling to continuously modify a baseline;
measuring confidential information disclosure activity in relation to the baseline;
comparing the short-term profile to the long-term profile; and
detecting a statistically significant deviation between the two profiles, the deviation indicating a short term increase in submission of confidential information to a website;
based on the statistical analysis, detecting anomalous behavior concerning submission of aggregated confidential information received from the plurality of user computers to a website; and
responsive to detecting the anomalous behavior concerning submission of confidential information to a website, performing at least one additional step to protect users from submitting confidential information to that website.
2. The method of claim 1 wherein detecting anomalous behavior concerning submission of aggregated confidential information to a website further comprises:
detecting an increase in submission of confidential information to a website.
3. The method of claim 1 further comprising:
over a period of time, incorporating short-term observed usage into the long-term usage profile, to account for legitimate changes in website behaviors.
4. The method of claim 1 wherein performing at least one additional step to protect users from submitting confidential information to the website further comprises:
transmitting an alert to at least one destination from a group of destinations comprising: an automated computer security system, a technician, a system administrator and a user.
5. The method of claim 1 wherein performing at least one additional step to protect users from submitting confidential information to the website further comprises performing at least one step from a group of steps consisting of:
publishing a new rule to protect against submission of confidential information to the website;
adding the website to a list of known bad sites;
transmitting a warning concerning the site to at least one user; and
initiating a process to have the website shut down.
6. At least one non-transitory computer readable medium storing a computer program product for detecting malicious websites based on end user data submission statistics, the computer program product comprising:
program code for receiving data from each of a plurality of user computers which has been marked by the user computers as confidential information;
program code for aggregating data received from the plurality of user computers;
program code for analyzing the aggregated data, comprising:
performing adaptive statistical anomaly detection, by applying statistical usage profiling to continuously modify a baseline;
measuring confidential information disclosure activity in relation to the baseline;
comparing the short-term profile to the long-term profile; and
detecting a statistically significant deviation between the two profiles, the deviation indicating a short term increase in submission of confidential information to a website;
based on the statistical analysis, program code for detecting anomalous behavior concerning submission of aggregated confidential information received from the plurality of user computers to a website; and
program code for responsive to detecting the anomalous behavior concerning submission of confidential information to a website, performing at least one additional step to protect users from submitting confidential information to that website.
7. The computer program product of claim 6 wherein the program code for detecting anomalous behavior concerning submission of aggregated confidential information to a website further comprises:
program code for detecting an increase in submission of confidential information to a website.
8. The computer program product of claim 6 further comprising:
program code for, over a period of time, incorporating short-term observed usage into the long-term usage profile, to account for legitimate changes in website behaviors.
9. The computer program product of claim 6 further comprising:
program code for, responsive to detecting the anomalous behavior concerning submission of confidential information to a website, determining the website is being used for phishing.
10. The computer program product of claim 6 wherein the program code for performing at least one additional step to protect users from submitting confidential information to the website further comprises:
program code for transmitting an alert to at least one destination from a group of destinations comprising:
an automated computer security system, a technician, a system administrator and a user.
11. The computer program product of claim 6 wherein the program code for performing at least one additional step to protect users from submitting confidential information to the website further comprises program code for performing at least one step from a group of steps consisting of:
publishing a new rule to protect against submission of confidential information to the website;
adding the website to a list of known bad sites;
transmitting a warning concerning the site to at least one user; and
initiating a process to have the website shut down.
12. A computer system for detecting malicious websites based on end user data submission statistics, the computer system comprising:
an interface to receive data from each of a plurality of user computers which has been marked by the user computers as confidential information;
a database to aggregate data received from the plurality of user computers;
an anomalous behavior ID component to analyze the aggregated data, and to detect anomalous behavior concerning submission of aggregated confidential information received from the plurality of user computers to a website, wherein analyzing the aggregated data comprises performing adaptive statistical anomaly detection, by applying statistical usage profiling to continuously modify a baseline, measuring confidential information disclosure activity in relation to the baseline, comparing the short-term profile to the long-term profile and detecting a statistically significant deviation between the two profiles, the deviation indicating a short term increase in submission of confidential information to a website; and
a reaction component to, responsive to detecting the anomalous behavior concerning submission of confidential information to a website from the statistical analysis, perform at least one additional step to protect users from submitting confidential information to that website.
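The analysis and reaction steps of claims 1 through 5 (adaptive baseline, short-term versus long-term profile comparison, significant-deviation test, and a protective reaction), carried through as an added worked example. This is illustrative code written for this page, not Symantec's implementation or any product's code. It assumes that each user computer reports a (user id, website) pair whenever data the user marked as confidential is submitted; the website names, hourly user counts and thresholds below are constructed for the illustration.

```python
"""Adaptive statistical anomaly detection over aggregated reports of
confidential-information submissions (example code, not the patent's own).

Assumed input: one (user_id, website) report per confidential submission,
delivered to a central system and aggregated per website per hour.
All sample data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Profile:
    """Long-term usage profile for one website: an exponentially weighted
    mean and variance of distinct submitting users per hour.  Every
    observation is folded into the baseline, so it adapts continuously."""
    alpha: float = 0.2      # weight given to the newest observation
    n: int = 0              # observations seen so far
    mean: float = 0.0
    var: float = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        if self.n == 1:
            self.mean = x
            return
        diff = x - self.mean
        incr = self.alpha * diff
        self.mean += incr
        self.var = (1 - self.alpha) * (self.var + diff * incr)

    def zscore(self, x: float, min_std: float) -> float:
        """Deviation of a short-term value from the baseline, in standard
        deviations; min_std keeps near-constant sites from over-reacting."""
        return (x - self.mean) / max(self.var ** 0.5, min_std)


@dataclass
class Alert:
    hour: int
    website: str
    short_term_users: int
    baseline_mean: float
    zscore: float


@dataclass
class Detector:
    """Aggregates reports per website, compares this hour's short-term profile
    with the long-term profile and reacts to statistically significant rises."""
    warmup_hours: int = 8     # history required before a site is judged
    z_threshold: float = 4.0  # what counts as a significant deviation
    min_users: int = 10       # ignore rises too small to be meaningful
    min_std: float = 1.0
    profiles: dict = field(default_factory=dict)
    known_bad: set = field(default_factory=set)   # published bad-site list
    alerts: list = field(default_factory=list)    # alerts sent onward

    def process_hour(self, hour: int, reports) -> None:
        """reports: iterable of (user_id, website) received during `hour`."""
        users_by_site = defaultdict(set)
        for user_id, site in reports:
            users_by_site[site].add(user_id)
        # Sites with history but no reports this hour are observed as 0.
        for site in set(self.profiles) | set(users_by_site):
            short_term = len(users_by_site.get(site, ()))
            prof = self.profiles.setdefault(site, Profile())
            flagged = False
            if prof.n >= self.warmup_hours and short_term >= self.min_users:
                z = prof.zscore(short_term, self.min_std)
                if z >= self.z_threshold:
                    flagged = True
                    self.react(Alert(hour, site, short_term, prof.mean, z))
            # Incorporate short-term usage into the long-term profile so
            # legitimate growth stops looking anomalous; an hour already
            # flagged is left out so an attack in progress is not learned.
            if not flagged:
                prof.update(short_term)

    def react(self, alert: Alert) -> None:
        """Protective steps: record the alert for the security system or a
        technician, and add the site to the known-bad list."""
        self.alerts.append(alert)
        self.known_bad.add(alert.website)


# Constructed hourly counts of distinct users submitting confidential data.
# The third site is steady and tiny for 16 hours, then jumps sharply.
SAMPLE_HOURLY_USERS = {
    "bank.example":        [5, 6, 5, 4, 6, 5, 5, 6, 5, 5, 4, 6, 5, 6, 5, 5, 7],
    "shop.example":        [2, 3, 2, 2, 3, 2, 3, 2, 2, 3, 2, 2, 3, 2, 2, 3, 2],
    "acct-verify.example": [1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 38],
}


def constructed_reports(hour: int):
    """Expand the constructed counts into individual (user_id, website) reports."""
    for site, counts in SAMPLE_HOURLY_USERS.items():
        for i in range(counts[hour]):
            yield (f"user{i:03d}", site)


def run_sample() -> Detector:
    det = Detector()
    for hour in range(17):
        det.process_hour(hour, constructed_reports(hour))
    return det


if __name__ == "__main__":
    for a in run_sample().alerts:
        print(f"hour {a.hour}: {a.website} {a.short_term_users} users "
              f"(baseline {a.baseline_mean:.1f}/h, z={a.zscore:.1f})")
```

Two choices deserve a note. The warm-up and minimum-user thresholds mean a site with no history is never judged by this detector, which is the gap the companion filing listed under Similar Documents (quarantine periods for new websites) addresses. And because a flagged hour is not folded into the baseline, a site that legitimately grows fast enough to trip the threshold will keep tripping it until a technician or the automated system clears it; letting flagged hours in at a reduced weight is the usual compromise.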

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/115,352 US8321934B1 (en) 2008-05-05 2008-05-05 Anti-phishing early warning system based on end user data submission statistics

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US12/115,352 US8321934B1 (en) 2008-05-05 2008-05-05 Anti-phishing early warning system based on end user data submission statistics

Publications (1)

Publication Number Publication Date
US8321934B1 true US8321934B1 (en) 2012-11-27

Family

ID=47191032

Family Applications (1)

Application Number Title Priority Date Filing Date
US12/115,352 Active 2030-11-26 US8321934B1 (en) 2008-05-05 2008-05-05 Anti-phishing early warning system based on end user data submission statistics

Country Status (1)

Country Link
US (1) US8321934B1 (en)

Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080276302A1 (en) * 2005-12-13 2008-11-06 Yoggie Security Systems Ltd. System and Method for Providing Data and Device Security Between External and Host Devices
US20090126003A1 (en) * 2007-05-30 2009-05-14 Yoggie Security Systems, Inc. System And Method For Providing Network And Computer Firewall Protection With Dynamic Address Isolation To A Device
US20090249465A1 (en) * 2008-03-26 2009-10-01 Shlomo Touboul System and Method for Implementing Content and Network Security Inside a Chip
US20100037321A1 (en) * 2008-08-04 2010-02-11 Yoggie Security Systems Ltd. Systems and Methods for Providing Security Services During Power Management Mode
US20100212012A1 (en) * 2008-11-19 2010-08-19 Yoggie Security Systems Ltd. Systems and Methods for Providing Real Time Access Monitoring of a Removable Media Device
US8527526B1 (en) * 2012-05-02 2013-09-03 Google Inc. Selecting a list of network user identifiers based on long-term and short-term history data
US8615807B1 (en) 2013-02-08 2013-12-24 PhishMe, Inc. Simulated phishing attack with sequential messages
US8635703B1 (en) * 2013-02-08 2014-01-21 PhishMe, Inc. Performance benchmarking for simulated phishing attacks
US8719940B1 (en) 2013-02-08 2014-05-06 PhishMe, Inc. Collaborative phishing attack detection
US8782197B1 (en) 2012-07-17 2014-07-15 Google, Inc. Determining a model refresh rate
GB2509766A (en) * 2013-01-14 2014-07-16 Wonga Technology Ltd Website analysis
US8874589B1 (en) 2012-07-16 2014-10-28 Google Inc. Adjust similar users identification based on performance feedback
US8886575B1 (en) 2012-06-27 2014-11-11 Google Inc. Selecting an algorithm for identifying similar user identifiers based on predicted click-through-rate
US8886799B1 (en) 2012-08-29 2014-11-11 Google Inc. Identifying a similar user identifier
US8914500B1 (en) 2012-05-21 2014-12-16 Google Inc. Creating a classifier model to determine whether a network user should be added to a list
US9053185B1 (en) 2012-04-30 2015-06-09 Google Inc. Generating a representative model for a plurality of models identified by similar feature data
US9065727B1 (en) 2012-08-31 2015-06-23 Google Inc. Device identifier similarity models derived from online event signals
US20150381654A1 (en) * 2013-07-05 2015-12-31 Tencent Technology (Shenzhen) Company Limited Method, device and system for detecting potential phishing websites
US9262629B2 (en) 2014-01-21 2016-02-16 PhishMe, Inc. Methods and systems for preventing malicious use of phishing simulation records
US9325730B2 (en) 2013-02-08 2016-04-26 PhishMe, Inc. Collaborative phishing attack detection
US9344449B2 (en) 2013-03-11 2016-05-17 Bank Of America Corporation Risk ranking referential links in electronic messages
US9398038B2 (en) 2013-02-08 2016-07-19 PhishMe, Inc. Collaborative phishing attack detection
US9407654B2 (en) 2014-03-20 2016-08-02 Microsoft Technology Licensing, Llc Providing multi-level password and phishing protection
US9497622B2 (en) 2005-12-13 2016-11-15 Cupp Computing As System and method for providing network security to mobile devices
US20170034211A1 (en) * 2015-07-27 2017-02-02 Swisscom Ag Systems and methods for identifying phishing websites
US9762614B2 (en) 2014-02-13 2017-09-12 Cupp Computing As Systems and methods for providing network security using a secure digital device
US9906554B2 (en) 2015-04-10 2018-02-27 PhishMe, Inc. Suspicious message processing and incident response
US9973501B2 (en) 2012-10-09 2018-05-15 Cupp Computing As Transaction security systems and methods
TWI628941B (en) * 2015-10-22 2018-07-01 趨勢科技股份有限公司 Phishing detection by login page census
US11157976B2 (en) 2013-07-08 2021-10-26 Cupp Computing As Systems and methods for providing digital content marketplace security

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040111632A1 (en) 2002-05-06 2004-06-10 Avner Halperin System and method of virus containment in computer networks
US20050238005A1 (en) 2004-04-21 2005-10-27 Yi-Fen Chen Method and apparatus for controlling traffic in a computer network
US20050262559A1 (en) 2004-05-19 2005-11-24 Huddleston David E Method and systems for computer security
US20060212925A1 (en) 2005-03-02 2006-09-21 Markmonitor, Inc. Implementing trust policies
US20070192855A1 (en) * 2006-01-18 2007-08-16 Microsoft Corporation Finding phishing sites
US20070220595A1 (en) * 2006-02-10 2007-09-20 M Raihi David System and method for network-based fraud and authentication services
US20080288303A1 (en) * 2006-03-17 2008-11-20 Claria Corporation Method for Detecting and Preventing Fraudulent Internet Advertising Activity
US7797421B1 (en) * 2006-12-15 2010-09-14 Amazon Technologies, Inc. Method and system for determining and notifying users of undesirable network content
US7854001B1 (en) 2007-06-29 2010-12-14 Trend Micro Incorporated Aggregation-based phishing site detection

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
A Behavior-based Approach Towards Statistics-Preserving Network Trace Anonymization Song, Yingbo. ProQuest Dissertations and Theses 2012. vol. 0984,Iss.0054;p.n/a;Source: ProQuest Dissertations and Theses. *
Integrated detection of anomalous behavior of computer infrastructures Maggi, F.; Zanero, S. Network Operations and Management Symposium (NOMS), 2012 IEEE (1542-1201) (978-1-4673-0267-8) 2012. p. 866-871. *
Measurement and vulnerability analysis of overlay networks and peer-to-peer systems Dhungel, Prithula. ProQuest Dissertations and Theses 2012. vol. 0984,Iss.1540;p.n/a. *
Official Action received from USPTO dated Apr. 27, 2011 for U.S. Appl. No. 12/124,999, filed May 21, 2008.
Official Action received from USPTO dated Oct. 21, 2011 for U.S. Appl. No. 12/124,999, filed May 21, 2008.

Cited By (93)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10621344B2 (en) 2005-12-13 2020-04-14 Cupp Computing As System and method for providing network security to mobile devices
US9747444B1 (en) 2005-12-13 2017-08-29 Cupp Computing As System and method for providing network security to mobile devices
US20080276302A1 (en) * 2005-12-13 2008-11-06 Yoggie Security Systems Ltd. System and Method for Providing Data and Device Security Between External and Host Devices
US11822653B2 (en) 2005-12-13 2023-11-21 Cupp Computing As System and method for providing network security to mobile devices
US10089462B2 (en) 2005-12-13 2018-10-02 Cupp Computing As System and method for providing network security to mobile devices
US20150215282A1 (en) 2005-12-13 2015-07-30 Cupp Computing As System and method for implementing content and network security inside a chip
US10313368B2 (en) 2005-12-13 2019-06-04 Cupp Computing As System and method for providing data and device security between external and host devices
US11461466B2 (en) 2005-12-13 2022-10-04 Cupp Computing As System and method for providing network security to mobile devices
US10417421B2 (en) 2005-12-13 2019-09-17 Cupp Computing As System and method for providing network security to mobile devices
US10541969B2 (en) 2005-12-13 2020-01-21 Cupp Computing As System and method for implementing content and network security inside a chip
US9497622B2 (en) 2005-12-13 2016-11-15 Cupp Computing As System and method for providing network security to mobile devices
US9781164B2 (en) 2005-12-13 2017-10-03 Cupp Computing As System and method for providing network security to mobile devices
US10839075B2 (en) 2005-12-13 2020-11-17 Cupp Computing As System and method for providing network security to mobile devices
US11652829B2 (en) 2007-03-05 2023-05-16 Cupp Computing As System and method for providing data and device security between external and host devices
US10999302B2 (en) 2007-03-05 2021-05-04 Cupp Computing As System and method for providing data and device security between external and host devices
US10419459B2 (en) 2007-03-05 2019-09-17 Cupp Computing As System and method for providing data and device security between external and host devices
US10567403B2 (en) 2007-03-05 2020-02-18 Cupp Computing As System and method for providing data and device security between external and host devices
US10951659B2 (en) 2007-05-30 2021-03-16 Cupp Computing As System and method for providing network and computer firewall protection with dynamic address isolation to a device
US9756079B2 (en) 2007-05-30 2017-09-05 Cupp Computing As System and method for providing network and computer firewall protection with dynamic address isolation to a device
US20090126003A1 (en) * 2007-05-30 2009-05-14 Yoggie Security Systems, Inc. System And Method For Providing Network And Computer Firewall Protection With Dynamic Address Isolation To A Device
US10904293B2 (en) 2007-05-30 2021-01-26 Cupp Computing As System and method for providing network and computer firewall protection with dynamic address isolation to a device
US10284603B2 (en) 2007-05-30 2019-05-07 Cupp Computing As System and method for providing network and computer firewall protection with dynamic address isolation to a device
US20180302444A1 (en) 2007-05-30 2018-10-18 Cupp Computing As System and method for providing network and computer firewall protection with dynamic address isolation to a device
US11757941B2 (en) 2007-05-30 2023-09-12 CUPP Computer AS System and method for providing network and computer firewall protection with dynamic address isolation to a device
US9391956B2 (en) 2007-05-30 2016-07-12 Cupp Computing As System and method for providing network and computer firewall protection with dynamic address isolation to a device
US10057295B2 (en) 2007-05-30 2018-08-21 Cupp Computing As System and method for providing network and computer firewall protection with dynamic address isolation to a device
US11050712B2 (en) 2008-03-26 2021-06-29 Cupp Computing As System and method for implementing content and network security inside a chip
US20090249465A1 (en) * 2008-03-26 2009-10-01 Shlomo Touboul System and Method for Implementing Content and Network Security Inside a Chip
US8869270B2 (en) 2008-03-26 2014-10-21 Cupp Computing As System and method for implementing content and network security inside a chip
US11757835B2 (en) 2008-03-26 2023-09-12 Cupp Computing As System and method for implementing content and network security inside a chip
US9843595B2 (en) 2008-08-04 2017-12-12 Cupp Computing As Systems and methods for providing security services during power management mode
US9106683B2 (en) 2008-08-04 2015-08-11 Cupp Computing As Systems and methods for providing security services during power management mode
US11947674B2 (en) 2008-08-04 2024-04-02 Cupp Computing As Systems and methods for providing security services during power management mode
US20100037321A1 (en) * 2008-08-04 2010-02-11 Yoggie Security Systems Ltd. Systems and Methods for Providing Security Services During Power Management Mode
US11775644B2 (en) 2008-08-04 2023-10-03 Cupp Computing As Systems and methods for providing security services during power management mode
US9516040B2 (en) 2008-08-04 2016-12-06 Cupp Computing As Systems and methods for providing security services during power management mode
US10084799B2 (en) 2008-08-04 2018-09-25 Cupp Computing As Systems and methods for providing security services during power management mode
US10404722B2 (en) 2008-08-04 2019-09-03 Cupp Computing As Systems and methods for providing security services during power management mode
US10951632B2 (en) 2008-08-04 2021-03-16 Cupp Computing As Systems and methods for providing security services during power management mode
US8631488B2 (en) * 2008-08-04 2014-01-14 Cupp Computing As Systems and methods for providing security services during power management mode
US11449613B2 (en) 2008-08-04 2022-09-20 Cupp Computing As Systems and methods for providing security services during power management mode
US11036836B2 (en) 2008-11-19 2021-06-15 Cupp Computing As Systems and methods for providing real time security and access monitoring of a removable media device
US11604861B2 (en) 2008-11-19 2023-03-14 Cupp Computing As Systems and methods for providing real time security and access monitoring of a removable media device
US8789202B2 (en) 2008-11-19 2014-07-22 Cupp Computing As Systems and methods for providing real time access monitoring of a removable media device
US10417400B2 (en) 2008-11-19 2019-09-17 Cupp Computing As Systems and methods for providing real time security and access monitoring of a removable media device
US20100212012A1 (en) * 2008-11-19 2010-08-19 Yoggie Security Systems Ltd. Systems and Methods for Providing Real Time Access Monitoring of a Removable Media Device
US9053185B1 (en) 2012-04-30 2015-06-09 Google Inc. Generating a representative model for a plurality of models identified by similar feature data
US8527526B1 (en) * 2012-05-02 2013-09-03 Google Inc. Selecting a list of network user identifiers based on long-term and short-term history data
US8914500B1 (en) 2012-05-21 2014-12-16 Google Inc. Creating a classifier model to determine whether a network user should be added to a list
US8886575B1 (en) 2012-06-27 2014-11-11 Google Inc. Selecting an algorithm for identifying similar user identifiers based on predicted click-through-rate
US8874589B1 (en) 2012-07-16 2014-10-28 Google Inc. Adjust similar users identification based on performance feedback
US8782197B1 (en) 2012-07-17 2014-07-15 Google, Inc. Determining a model refresh rate
US8886799B1 (en) 2012-08-29 2014-11-11 Google Inc. Identifying a similar user identifier
US9065727B1 (en) 2012-08-31 2015-06-23 Google Inc. Device identifier similarity models derived from online event signals
US10397227B2 (en) 2012-10-09 2019-08-27 Cupp Computing As Transaction security systems and methods
US9973501B2 (en) 2012-10-09 2018-05-15 Cupp Computing As Transaction security systems and methods
US11757885B2 (en) 2012-10-09 2023-09-12 Cupp Computing As Transaction security systems and methods
US10904254B2 (en) 2012-10-09 2021-01-26 Cupp Computing As Transaction security systems and methods
GB2509766A (en) * 2013-01-14 2014-07-16 Wonga Technology Ltd Website analysis
US9667645B1 (en) 2013-02-08 2017-05-30 PhishMe, Inc. Performance benchmarking for simulated phishing attacks
US8615807B1 (en) 2013-02-08 2013-12-24 PhishMe, Inc. Simulated phishing attack with sequential messages
US9398038B2 (en) 2013-02-08 2016-07-19 PhishMe, Inc. Collaborative phishing attack detection
US8966637B2 (en) 2013-02-08 2015-02-24 PhishMe, Inc. Performance benchmarking for simulated phishing attacks
US10187407B1 (en) 2013-02-08 2019-01-22 Cofense Inc. Collaborative phishing attack detection
US9591017B1 (en) 2013-02-08 2017-03-07 PhishMe, Inc. Collaborative phishing attack detection
US9356948B2 (en) 2013-02-08 2016-05-31 PhishMe, Inc. Collaborative phishing attack detection
US9246936B1 (en) 2013-02-08 2016-01-26 PhishMe, Inc. Performance benchmarking for simulated phishing attacks
US9253207B2 (en) 2013-02-08 2016-02-02 PhishMe, Inc. Collaborative phishing attack detection
US9674221B1 (en) 2013-02-08 2017-06-06 PhishMe, Inc. Collaborative phishing attack detection
US8635703B1 (en) * 2013-02-08 2014-01-21 PhishMe, Inc. Performance benchmarking for simulated phishing attacks
US10819744B1 (en) 2013-02-08 2020-10-27 Cofense Inc Collaborative phishing attack detection
US8719940B1 (en) 2013-02-08 2014-05-06 PhishMe, Inc. Collaborative phishing attack detection
US9325730B2 (en) 2013-02-08 2016-04-26 PhishMe, Inc. Collaborative phishing attack detection
US9053326B2 (en) 2013-02-08 2015-06-09 PhishMe, Inc. Simulated phishing attack with sequential messages
US9635042B2 (en) 2013-03-11 2017-04-25 Bank Of America Corporation Risk ranking referential links in electronic messages
US9344449B2 (en) 2013-03-11 2016-05-17 Bank Of America Corporation Risk ranking referential links in electronic messages
US9712562B2 (en) * 2013-07-05 2017-07-18 Tencent Technology (Shenzhen) Company Limited Method, device and system for detecting potential phishing websites
US20150381654A1 (en) * 2013-07-05 2015-12-31 Tencent Technology (Shenzhen) Company Limited Method, device and system for detecting potential phishing websites
US11157976B2 (en) 2013-07-08 2021-10-26 Cupp Computing As Systems and methods for providing digital content marketplace security
US9262629B2 (en) 2014-01-21 2016-02-16 PhishMe, Inc. Methods and systems for preventing malicious use of phishing simulation records
US20180205760A1 (en) 2014-02-13 2018-07-19 Cupp Computing As Systems and methods for providing network security using a secure digital device
US12034772B2 (en) 2014-02-13 2024-07-09 Cupp Computing As Systems and methods for providing network security using a secure digital device
US11316905B2 (en) 2014-02-13 2022-04-26 Cupp Computing As Systems and methods for providing network security using a secure digital device
US10666688B2 (en) 2014-02-13 2020-05-26 Cupp Computing As Systems and methods for providing network security using a secure digital device
US9762614B2 (en) 2014-02-13 2017-09-12 Cupp Computing As Systems and methods for providing network security using a secure digital device
US11743297B2 (en) 2014-02-13 2023-08-29 Cupp Computing As Systems and methods for providing network security using a secure digital device
US10291656B2 (en) 2014-02-13 2019-05-14 Cupp Computing As Systems and methods for providing network security using a secure digital device
US9407654B2 (en) 2014-03-20 2016-08-02 Microsoft Technology Licensing, Llc Providing multi-level password and phishing protection
US9906539B2 (en) 2015-04-10 2018-02-27 PhishMe, Inc. Suspicious message processing and incident response
US9906554B2 (en) 2015-04-10 2018-02-27 PhishMe, Inc. Suspicious message processing and incident response
US20170034211A1 (en) * 2015-07-27 2017-02-02 Swisscom Ag Systems and methods for identifying phishing websites
US10708302B2 (en) * 2015-07-27 2020-07-07 Swisscom Ag Systems and methods for identifying phishing web sites
TWI628941B (en) * 2015-10-22 2018-07-01 趨勢科技股份有限公司 Phishing detection by login page census

Similar Documents

Publication Publication Date Title
US8321934B1 (en) Anti-phishing early warning system based on end user data submission statistics
US11818169B2 (en) Detecting and mitigating attacks using forged authentication objects within a domain
US11470108B2 (en) Detection and prevention of external fraud
US20220053013A1 (en) User and entity behavioral analysis with network topology enhancement
US11582207B2 (en) Detecting and mitigating forged authentication object attacks using an advanced cyber decision platform
US11968227B2 (en) Detecting KERBEROS ticket attacks within a domain
Holm et al. An expert-based investigation of the common vulnerability scoring system
US11818150B2 (en) System and methods for detecting and mitigating golden SAML attacks against federated services
US11757849B2 (en) Detecting and mitigating forged authentication object attacks in multi-cloud environments
US20200311630A1 (en) Adaptive enterprise risk evaluation
US12041091B2 (en) System and methods for automated internet- scale web application vulnerability scanning and enhanced security profiling
US12058177B2 (en) Cybersecurity risk analysis and anomaly detection using active and passive external reconnaissance
Sheng et al. An empirical analysis of phishing blacklists
Yen et al. An epidemiological study of malware encounters in a large enterprise
RU2607229C2 (en) Systems and methods of dynamic indicators aggregation to detect network fraud
US8312536B2 (en) Hygiene-based computer security
US9830453B1 (en) Detection of code modification
US8689341B1 (en) Anti-phishing system based on end user data submission quarantine periods for new websites
US11960604B2 (en) Online assets continuous monitoring and protection
CN107682345B (en) IP address detection method and device and electronic equipment
US20230283641A1 (en) Dynamic cybersecurity scoring using traffic fingerprinting and risk score improvement
Massa et al. A fraud detection system based on anomaly intrusion detection systems for e-commerce applications
JP6623128B2 (en) Log analysis system, log analysis method, and log analysis device
US8214907B1 (en) Collection of confidential information dissemination statistics
US8266704B1 (en) Method and apparatus for securing sensitive data from misappropriation by malicious software

Legal Events

Date Code Title Description
AS Assignment

Owner name: SYMANTEC CORPORATION, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:COOLEY, SHAUN;SOBEL, WILLIAM E.;SIGNING DATES FROM 20080430 TO 20080501;REEL/FRAME:020904/0085

STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

AS Assignment

Owner name: JPMORGAN, N.A., NEW YORK

Free format text: SECURITY AGREEMENT;ASSIGNORS:SYMANTEC CORPORATION;BLUE COAT LLC;LIFELOCK, INC,;AND OTHERS;REEL/FRAME:050926/0560

Effective date: 20191104

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8

AS Assignment

Owner name: NORTONLIFELOCK INC., CALIFORNIA

Free format text: CHANGE OF NAME;ASSIGNOR:SYMANTEC CORPORATION;REEL/FRAME:053306/0878

Effective date: 20191104

AS Assignment

Owner name: BANK OF AMERICA, N.A., AS COLLATERAL AGENT, NORTH CAROLINA

Free format text: SECURITY AGREEMENT;ASSIGNOR:NORTONLIFELOCK INC.;REEL/FRAME:062220/0001

Effective date: 20220912

Owner name: BANK OF AMERICA, N.A., AS COLLATERAL AGENT, NORTH CAROLINA

Free format text: NOTICE OF SUCCESSION OF AGENCY (REEL 050926 / FRAME 0560);ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:061422/0371

Effective date: 20220912

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12